Yet another Chrome zero-day exploited in the wild! (CVE-2023-5217)


Google has fixed another critical zero-day vulnerability (CVE-2023-5217) in Chrome that is being exploited in the wild.

About CVE-2023-5217

The vulnerability is caused by a heap buffer overflow in vp8 encoding in libvpx – a video codec library from Google and the Alliance for Open Media (AOMedia).

Heap buffer overflows can cause program crashes or arbitrary code execution.

CVE-2023-5217 has been fixed in Google Chrome 117.0.5938.132 for Windows, Mac and Linux users.

Google noted that the exploit for CVE-2023-5217 exists in the wild, so users are recommended to update as soon as possible.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed,” Google said.

The vulnerability has been reported by Clément Lecigne of Google’s Threat Analysis Group on September 25. As noted by his colleague Maddie Stone, the flaw is being used by a commercial surveillance vendor.

In this latest update, Google has also resolved two other high-severity flaws reported by researchers:

  • CVE-2023-5186 – A use after free (UAF) vulnerability in Passwords
  • CVE-2023-5187 – A use after free (UAF) vulnerability in Extensions

Recently exploited zero-days

Earlier this month, Apple patched two zero-day vulnerabilities (CVE-2023-41064, CVE-2023-41061) chained and exploited to deliver NSO Group’s Pegasus spyware to high-risk targets.

CVE-2023-41064 – a buffer overflow vulnerability in the ImageI/O framework – turned out to be the effectively the same flaw as CVE-2023-4863 – a Chrome zero-day heap buffer overflow vulnerability in WebP, because the source of the vulnerability is the libwebp library both companies implemented.

Google has first created a new CVE ID for the flaw in libwebp (CVE-2023-5129), but it was soon rejected or withdrawn for being a duplicate of CVE-2023-4863.





Source link